- Google provider: report malformed SSE stream JSON with provider-owned errors instead of leaking raw parser failures.

- Node host: report malformed built-in invoke `paramsJSON` with stable invalid-request errors instead of leaking raw parser failures.

- Amazon Bedrock embeddings: report malformed provider response JSON with provider-owned errors instead of leaking raw parser failures.

- QQBot: report malformed access-token JSON with provider-owned errors instead of leaking raw parser failures.

- Models config/auth: stop inferring provider env-var markers from broad `^[A-Z_][A-Z0-9_]*$` strings, and resolve config-backed provider `apiKey` values only through structured env SecretRefs (`secrets.providers[id]` / `secrets.defaults`), so unrelated env vars cannot accidentally become provider credentials. Thanks @sallyom.

- Media fetch: skip allocating and buffering the response body for bodyless media responses (HEAD probes and 204-style empty bodies), avoiding wasted heap on streams that carry no payload. Thanks @shakkernerd.

- CLI/onboarding: forward provider-specific auth flags (e.g. `--openai-api-key`) through the onboarding wizard so they reach provider auth methods via `ctx.opts`, letting `--openai-api-key "$OPENAI_API_KEY"` skip the redundant "use existing env var?" prompt in non-interactive harnesses. (#81669) Thanks @sjf.

import { afterEach, describe, expect, it, vi } from "vitest";

import { TokenManager } from "./token.js";

describe("QQBot token manager", () => {

afterEach(() => {

vi.unstubAllGlobals();

});

it("wraps malformed access token JSON", async () => {

vi.stubGlobal(

"fetch",

vi.fn().mockResolvedValue(

new Response("{not json", {

status: 200,

headers: { "content-type": "application/json" },

}),

),

);

await expect(new TokenManager().getAccessToken("app-id", "secret")).rejects.toThrow(

"QQBot access_token response was malformed JSON",

);

});

});

`[qqbot:token:${appId}] <<< ${response.status}${traceId ? ` | TraceId: ${traceId}` : ""}`,

);

let data: { access_token?: string; expires_in?: number };

let rawBody: string;

try {

const rawBody = await response.text();

const logBody = rawBody.replace(/"access_token"\s*:\s*"[^"]+"/g, '"access_token": "***"');

this.logger?.debug?.(`[qqbot:token:${appId}] <<< Body: ${logBody}`);

data = JSON.parse(rawBody);

rawBody = await response.text();

} catch (err) {

throw new Error(`Failed to parse access_token response: ${formatErrorMessage(err)}`, {

throw new Error(`Failed to read access_token response: ${formatErrorMessage(err)}`, {

cause: err,

});

}

const logBody = rawBody.replace(/"access_token"\s*:\s*"[^"]+"/g, '"access_token": "***"');

this.logger?.debug?.(`[qqbot:token:${appId}] <<< Body: ${logBody}`);

let data: { access_token?: string; expires_in?: number };

try {

data = JSON.parse(rawBody);

} catch {

throw new Error("QQBot access_token response was malformed JSON");

}

if (!data.access_token) {

throw new Error(`Failed to get access_token: ${JSON.stringify(data)}`);